SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

25 July 2002 Eli Lilly Settles Data Exposure Case

Pharmaceutical manufacturer Eli Lilly and eight US states have agreed to a settlement in a case involving Lilly's inadvertent exposure of more than 650 customer e-mail addresses. In addition to paying a $160,000 fine to be split among the states, Lilly must improve internal security practices.
-http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,72978,00.html
[Editor's Note (Murray): Security managers take note. Do not be misled by the fact that the state was the plaintiff. A one-time leak of only 650 names results in a $160K loss. I suspect that the cost of litigation was ten times that. ]

24 & 26 July 2002 Man Indicted for Accessing Wireless Network

Stefan Puffer has been indicted by a grand jury on two counts of fraud for accessing a wireless network at the county district clerk's office. Puffer allegedly accessed the network on March 8; on March 18, Puffer demonstrated to a county official and a newspaper reporter the ease with which he was able to access the network using only a laptop computer and an inexpensive wireless LAN card. The March 8 intrusion did no damage, but the network has been shut down because it lacked security.
-http://www.chron.com/cs/CDA/story.hts/tech/news/1507766
-http://www.theregister.co.uk/content/55/26397.html

THE REST OF THE WEEK'S NEWS

29 July 2002 RIAA Hit with DoS Attack

RIAA.org, the web site of the Recording Industry Association of America (RIAA), was hit by a denial-of-service attack lasting from Friday, July 26 until today. No one has claimed responsibility for the attack, which comes after the RIAA endorsed legislation proposed by Representative Howard Berman (D-Calif.) that would allow copyright holders to hack back at peer-to-peer networks that violate copyright laws.
-http://news.com.com/2100-1023-947072.html?tag=fd_top

26 July 2002 Perens Declines to Provide Details on DVD Hack for Fear of Violating DMCA

Bruce Perens had planned to reveal his method for circumventing the protections on US-bought DVD players that prevent them from playing most DVDs purchased in other "zones." His employer, Hewlett Packard, stepped in and convinced him not to disclose the details of his work at an open source convention because they were fearful he would be arrested and prosecuted for violating the Digital Millennium Copyright Act (DMCA).
-http://zdnet.com.com/2100-1104-946792.html
-http://www.wired.com/news/business/0,1367,54168,00.html

The American Civil Liberties Union (ACLU) has filed a lawsuit challenging several parts of the 1998 Digital Millennium Copyright Act (DMCA) on behalf of a young researcher. Ben Edelman evaluates filtering software used in public schools and libraries; the software often includes an encrypted list of banned sites. Edelman wants to decrypt and publish the banned list that accompanies N2H2's filtering software; he also wants to distribute the utility used to decrypt the list.
-http://zdnet.com.com/2100-1106-946270.html
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=1253564

29 July 2002 Wireless Honeypot

Researchers at the Science Applications International Corporation (SAIC) have built the Wireless Information Security Experiment (WISE), a wireless honeypot designed to attract wireless hackers and to gather information on their activities. Due to the nature of wireless networks, it may be difficult to differentiate between deliberate war drivers and those who discover the network by accident.
-http://online.securityfocus.com/news/552

26 July 2002 NIST Releases Two More Draft Security Guides

The National Institute of Standards and Technology's (NIST's) Computer Security Division has released two more draft guides for federal agencies: a highly technical wireless security guide and a security training guide for CIOs and program managers. Comments on the wireless guide are due September 1; comments on the training guide are due August 16.
-http://www.fcw.com/fcw/articles/2002/0722/web-nist-07-26-02.asp

25 July 2002 Employees Fired in Grade Altering Scheme at Florida School

Three students have been expelled and two employees fired from Florida Memorial College for their involvement in a grade-altering scheme. Insiders in the registrar's office allegedly used their valid passwords to access and significantly change students' grades in exchange for money. An additional 69 people face disciplinary action. The scheme was discovered during a routine grade audit held in May.
-http://www.miami.com/mld/miamiherald/news/local/3728808.htm

25 July 2002 New Security Specification for Flash Memory Cards

A group of five companies calling itself 5C has announced the creation of the Mobile Commerce Extension Specification for flash memory cards. 5C is hopeful the new specification will make flash memory cards useful and desirable to industries that store sensitive information like medical records and financial data. The specification, which can be used in all major flash memory card formats, will help prevent data from being stolen during wireless transmission, and data on a lost card will be inaccessible if the card is found by a stranger.
-http://news.com.com/2100-1040-946353.html

25 July 2002 Keeping Your Computer Safe

The author advises protecting yourself from lurking cyber dangers by choosing Macs or Linux over Microsoft products. If that is not a possibility, apply all patches, use anti-virus software, firewalls and a safe password. You should also employ secure practices, like not opening unexpected attachments, maintaining several e-mail addresses for various purposes, and being cautious about giving out personal information on the Internet.
-http://news.bbc.co.uk/2/hi/technology/2143630.stm

25 July 2002 NASCIO Takes First Step Toward Forming ISAC

The National Association of State Chief Information Officers (NASCIO) has signed an agreement with the FBI's National Infrastructure Protection Center (NIPC) that will let the states receive computer and physical security threat alerts. The agreement is a step toward the establishment of an Interstate Information Sharing and Analysis Center (ISAC).
-http://www.fcw.com/geb/articles/2002/0722/web-nipc-07-25-02.asp

25 July 2002 Police and Computer Science Students Collaborate in Tulsa

Police in Tulsa, Oklahoma are working with computer science students at the University of Tulsa to investigate cyber crimes. The students will learn how a forensic investigator works while the police will gain experience with new software tools and research techniques.
-http://www.fcw.com/geb/articles/2002/0722/web-tulsa-07-25-02.asp
[Editor's Note (Schultz): We badly need much more of this type of collaboration, yet I'd like law enforcement to go farther by requiring officers to take a variety of relevant computer science and other courses. ]

23 July 2002 National Cyber Security Strategy Plans to Extend Cyber Corps to State Level

Richard Clarke says the national cyber security strategy, due to be released in September, will extend the Federal Cyber Service Program, which provides scholarships to both undergraduate and graduate computer security students in exchange for two years of federal service employment, to the state level. The Cyber Service Program is also expected to receive $19 million for a supplemental funding bill to be voted on soon.
-http://www.fcw.com/geb/articles/2002/0722/web-cyber-07-23-02.asp

23 July 2002 Microsoft Changes Vulnerability Reporting Method

Microsoft has removed secure@microsoft.com, the dedicated e-mail address for reporting vulnerabilities, from its "Alert Us" page; while Microsoft will continue to monitor the address, users are encouraged to report vulnerabilities by filling out a Web-based input form. The form is designed to provide the company with adequate information to begin investigations more quickly; often vulnerabilities reported at the web address required some back and forth communication before an investigation could be launched. Critics say the web form is not flexible enough and does not provide a "paper trail" to show when Microsoft was first notified of the vulnerability.
-http://online.securityfocus.com/news/545

22 July 2002 The Long Arm of Cyber Law Reaches Beyond National Borders

Internet content is facing increasing scrutiny and legal action from governments around the world, regardless of where the offending content is hosted. For example, web sites allegedly run by two Italian men were deemed offensive, and Italian police replaced the images with a police unit insignia, despite the fact that the sites were hosted in the US. Differing laws regarding freedom of speech and the European Union's privacy laws are making it difficult for Internet businesses to know what to do.
-http://www.cnn.com/2002/TECH/internet/07/22/borderless.internet.ap/index.html